Personal note - possible new project
I have often bounced ideas off you, and this is another one of those moments where I can use your input.
I'm thinking of building an issue tracker that's made specifically to track and triage security issues. Think Jira, but much more focused. It would:
- Pull in the list of issues/CVEs from your vulnerability scanners.
- Provide data about each CVE to help the triage process: descriptions and CVSS scores, but also whether your OS has fixed it, any blog posts with more details on the issue, things like that.
- Allow you to manage whitelisting in the tracker itself so it's not scanner dependent.
- Generate documentation on each CVE: its information, assets affected, actions taken, for compliance and internal record keeping.
Have you ever been in a spot where this would have made your life better?
If so, I’d be very grateful for a reply with any thoughts you have. I only have my own perspective right now, and I could really use others.
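To make the feature list above concrete, here is a small model of that workflow as an added example (this is not code from the newsletter or from any existing project). It assumes scanner findings arrive as one row per asset and CVE, that enrichment (description, OS fix status, references) comes from a local lookup table standing in for the real feeds, and that the whitelist lives in the tracker with an expiry date so exceptions get revisited. All CVE ids, hosts and URLs are constructed placeholders.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Fixed "today" so whitelist expiry is deterministic (constructed).
TODAY = date(2019, 9, 20)

# Constructed scanner output: one row per (scanner, asset, CVE). The CVE ids
# are placeholders, not real entries.
SCANNER_FINDINGS = [
    {"scanner": "scan-a", "asset": "web-01", "cve": "CVE-0000-0001", "cvss": 9.8},
    {"scanner": "scan-a", "asset": "web-02", "cve": "CVE-0000-0001", "cvss": 9.8},
    {"scanner": "scan-b", "asset": "web-01", "cve": "CVE-0000-0001", "cvss": 9.8},  # same finding, second scanner
    {"scanner": "scan-a", "asset": "db-01", "cve": "CVE-0000-0002", "cvss": 7.5},
    {"scanner": "scan-b", "asset": "build-01", "cve": "CVE-0000-0003", "cvss": 5.3},
]

# Constructed enrichment data standing in for the feeds the tracker would query
# (description, whether the OS vendor shipped a fix, write-ups).
CVE_DATA = {
    "CVE-0000-0001": {"description": "Remote code execution in example-httpd",
                      "os_fixed": False, "references": ["https://example.invalid/advisory-1"]},
    "CVE-0000-0002": {"description": "Denial of service in example-db",
                      "os_fixed": True, "references": []},
    # CVE-0000-0003 deliberately absent: the tracker must cope with missing enrichment.
}

# Tracker-side whitelist (accepted risks), independent of any scanner. An entry
# with asset=None applies to every asset; entries expire so exceptions get revisited.
WHITELIST = [
    {"cve": "CVE-0000-0002", "asset": None, "reason": "service not network exposed", "expires": date(2019, 12, 31)},
    {"cve": "CVE-0000-0003", "asset": "build-01", "reason": "host offline", "expires": date(2019, 6, 30)},
]


@dataclass
class Issue:
    cve: str
    cvss: float
    description: str
    os_fixed: Optional[bool]          # None = unknown (no enrichment data)
    references: list
    assets: set = field(default_factory=set)
    sources: set = field(default_factory=set)
    status: str = "open"
    actions: list = field(default_factory=list)


def ingest(findings, cve_data):
    """Collapse per-asset scanner rows into one Issue per CVE and enrich it."""
    issues = {}
    for f in findings:
        issue = issues.get(f["cve"])
        if issue is None:
            info = cve_data.get(f["cve"], {})
            issue = Issue(cve=f["cve"], cvss=f["cvss"],
                          description=info.get("description", "no enrichment available"),
                          os_fixed=info.get("os_fixed"),
                          references=list(info.get("references", [])))
            issues[f["cve"]] = issue
        issue.assets.add(f["asset"])
        issue.sources.add(f["scanner"])
        issue.cvss = max(issue.cvss, f["cvss"])   # scanners may disagree; keep the worst case
    return issues


def is_whitelisted(whitelist, cve, asset, today):
    """True if an unexpired entry covers this CVE on this asset (or on all assets)."""
    return any(e["cve"] == cve and e["asset"] in (None, asset) and e["expires"] >= today
               for e in whitelist)


def triage(issues, whitelist, today):
    """Mark fully whitelisted issues as accepted risk, then rank the rest by severity."""
    for issue in issues.values():
        if all(is_whitelisted(whitelist, issue.cve, a, today) for a in issue.assets):
            issue.status = "accepted_risk"
    return sorted(issues.values(),
                  key=lambda i: (i.status == "accepted_risk", -i.cvss, -len(i.assets)))


def record_action(issue, today, text):
    """Append a dated entry to the issue's audit trail."""
    issue.actions.append(f"{today.isoformat()}: {text}")


def render_record(issue):
    """Plain-text record of one CVE for compliance / internal record keeping."""
    fixed = {True: "yes", False: "no", None: "unknown"}[issue.os_fixed]
    lines = [
        f"CVE: {issue.cve}",
        f"Status: {issue.status}",
        f"CVSS: {issue.cvss}",
        f"Description: {issue.description}",
        f"OS fix available: {fixed}",
        f"Assets affected: {', '.join(sorted(issue.assets))}",
        f"Reported by: {', '.join(sorted(issue.sources))}",
        "References: " + (", ".join(issue.references) or "none"),
        "Actions taken:",
    ]
    lines += [f"  - {a}" for a in issue.actions] or ["  - none yet"]
    return "\n".join(lines)


if __name__ == "__main__":
    ranked = triage(ingest(SCANNER_FINDINGS, CVE_DATA), WHITELIST, TODAY)
    record_action(ranked[0], TODAY, "patch scheduled for web-01 and web-02")
    for issue in ranked:
        print(render_record(issue), "\n")
```

Two details worth noting: the expired whitelist entry for CVE-0000-0003 no longer suppresses the finding, so it comes back as open, and a CVE with no enrichment data is still tracked rather than dropped, with its fix status shown as unknown.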
Breaches and leaks
- Millions of Lion Air passenger records exposed and exchanged on forums.
- Medical images and details of 24.3 million patients left exposed on the Internet.
- Data of 24.3 million Lumin PDF users shared on hacking forum.
This feels like it deserves its own item. An unsecured database was found containing very detailed information on pretty much all the people of Ecuador. It included data on children, family trees, financials, and much more. The data came from the government and from private sources, but it belonged to some analytics company.
If you run Harbor, make sure you update fast. Anyone can call the /api/users endpoint and create a user for themselves with full admin permissions.
There's apparently an old set of instructions and applications installed directly on SIM cards that an attacker can abuse by sending an SMS and getting a reply with the target's location. The legacy technology is still active in at least 30 countries, and the researchers found that it's actively being exploited. Very interesting read.
Good ol' Tavis Ormandy, from Google's Project Zero, found a bug in LastPass that allows a malicious site to capture the credentials cached from the previous site you visited. It's not straightforward to exploit, from the sounds of it, but definitely a great find. The LastPass extensions for Chrome and Opera were impacted, and have since been updated and fixed.
Two bits of cool GitHub news. If your project uses Composer, you can start using GitHub now to get security alerts for your dependencies. Also, GitHub has received certification as a CVE numbering authority, which means it will be able to assign CVE numbers on its own. It only covers open source projects, but it does mean that project owners can request a CVE for an issue from GitHub itself instead of going through MITRE.
If you have a Chromebook, you have the option to use it as a hardware security token, kind of like a YubiKey. But Google found an issue in the hardware behind that feature that could let an attacker obtain your private key. If you use it, you probably want to patch it.
Security researcher José Rodríguez, of many previous lock screen bypass fame, strikes again. If someone has physical access to your phone, it can be tricked into disclosing your contacts. It was found in the beta of iOS 13.
It's not a horrible issue, but what does suck is that Apple doesn't seem to want to pay out any kind of bug bounty. Not even the $1 gift card José asked for as a trophy. C'mon Apple. You can do better.
Well that is just plain cool. The end goal of the hacking contest is to take over a satellite, either through the ground station or directly with an emitter, and point its camera from the Earth to the moon. "A literal moon shot". Beautiful.
Nicely detailed list of some things to keep in mind for your Docker infrastructure.